Bug 981469

Summary: need to set net.bridge.bridge-nf-call-iptables=1 for --allinone installation
Product: Red Hat OpenStack Reporter: Stephen Gordon <sgordon>
Component: doc-Installation_and_Configuration_GuideAssignee: Bruce Reeler <breeler>
Status: CLOSED NOTABUG QA Contact: ecs-bugs
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: aortega, breeler, derekh, enakai, jkt, rlandman, sgordon, slong, sradvan
Target Milestone: asyncKeywords: Documentation, Triaged
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 981144 Environment:
Last Closed: 2014-03-21 02:15:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 981144, 997941    
Bug Blocks:    

Description Stephen Gordon 2013-07-04 20:26:39 UTC 
Cloning for documentation in case this proves to be required, follow up on outcome of Bug # 981144 to be sure.

+++ This bug was initially created as a clone of Bug #981144 +++

Document URL: 
https://access.redhat.com/site/documentation/en-US/Red_Hat_OpenStack/3/html-single/Getting_Started_Guide/index.html#sect-Quick_Start_Deployment_using_PackStack

Section Number and Name: 
4.1. Quick Start Deployment using PackStack

Describe the issue: 
For the single node deployment with "packstack --allinone", following kernel parms should be set so that the security group works correctly.

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Suggestions for improvement: 

Add the following steps after "packstack --allinone".

1) Create the following script to load bridge module at boottime. (Without this, settings in /etc/sysctl.conf cannot be applied at boottime.)

/etc/sysconfig/modules/openstack-quantum.modules 
-----------------
#!/bin/sh
modprobe -b bridge >/dev/null 2>&1
exit 0
-----------------

2) Set the following in /etc/sysctl.conf
-----------------
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
-----------------

Additional information: 

# rpm -qa | grep packstack
openstack-packstack-2013.1.1-0.20.dev632.el6ost.noarch

# rpm -qa | grep quantum
openstack-quantum-openvswitch-2013.1.2-3.el6ost.noarch
python-quantum-2013.1.2-3.el6ost.noarch
openstack-quantum-2013.1.2-3.el6ost.noarch
python-quantumclient-2.2.1-1.el6ost.noarch

--- Additional comment from Stephen Gordon on 2013-07-04 16:25:25 EDT ---

(In reply to Etsuji Nakai from comment #0)
> Describe the issue: 
> For the single node deployment with "packstack --allinone", following kernel
> parms should be set so that the security group works correctly.
> 
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1

If this is actually the case I think the correct approach is to update PackStack to handle this, not document around it (though if these steps are required I am sure we will need to cover it in the other guide for users performing manual setup).
Comment 1 Bruce Reeler 2014-03-21 02:15:35 UTC 
Parent bug BZ981144 fixed this issue in PackStack, so it did not need documenting.
Hence, closing as NOTABUG.